MedQuip, a company that specialises in the production of personalised medical equipment, was recently accused of failing to reasonably secure the Protected Health Information (PHI) and Personally Identifiable Information (PII) of its customers. Between June 19 and July 12, 2019, MedQuip's network was breached, with the attacker stealing over a million PHI and PII records.

A law enforcement investigation and forensic analysis of MedQuip's network found that the attacker first penetrated the network through a third-party user's computer. Due to weak segmentation between the non-sensitive and sensitive parts of MedQuip's network, the attacker was able to access and modify sensitive PHI and PII data for the purpose of selling the data to a MedQuip competitor. MedQuip's internal IT staff had stored sensitive data in an unencrypted format on unencrypted hard drives, making it easy for the attacker to access and steal sensitive data. This highlights a gap in knowledge with respect to appropriate IT security practices and reveals MedQuip's lack of understanding regarding the consequences of poor information security. It is estimated that the billing information of 9,000 customers was compromised.

While it is understood that MedQuip has a robust IT security policy based on industry regulations, it appears the policy has not been enforced, which made it possible for the breach to succeed. In a press conference discussing the incident, the IT director commented that while the company had an IT security policy in place to prevent such breaches, the security controls defined in the policy relating to data handling and storage had not been implemented. Following further internal investigations, the employees concerned could not be penalised, as the IT security policy did not meet certain criteria.

1. Discuss the key goals of information security.

2. Which of the goals mentioned in question 1 was violated in the data breach at MedQuip? Discuss.

3. According to the Australian Cybercrime Act, briefly discuss, with evidence from the MedQuip case study, the level of crime that was committed in this case.

4. Which Information Privacy Principle was breached in this case?

5. Describe the criteria that must be met by MedQuip to make its security policy enforceable.

6. What mistakes did senior management make with respect to the organisation's information security?

7. What mistake did the IT staff make with respect to data security?

8. Provide one (1) example each of how MedQuip may safeguard its Hardware, Software, Data, Procedure, and People.

